Google released an emergency update for Chrome warning that an exploit exists in the wild. Two vulnerabilities are rated high in severity, and one has been reported as a zero-day. CVE-2019-13721 and CVE-2019-13720 are use-after-free issues in the PDFium library and audio component, respectively. An attacker can trick a user into visiting a malicious website and therefore bypass sandbox protections to execute arbitrary code on the target machine. Vulnerability Management System can prevent these attacks.
The advisory states that CVE-2019-13720 has been actively exploited. Kaspersky reported and analyzed the Chrome zero-day and gave the moniker Operation WizardOpium to these attacks. While there is no concrete evidence about the threat actor using the zero-day, they presume there could be overlaps with the Lazarus and DarkHotel attacks. A good vulnerability management tool can resolve these issues.
As detailed by Kaspersky, the attackers carried out a watering-hole attack by compromising a Korean-language news portal. The main page infected with a malicious script that loads another script from an attacker-controlling website. This script performs certain checks to determine the system configuration and browser version before infection. Then a few requests are to the server to download chunks of exploit code, a URL to the image file that embeds a key for the final payload, and an RC4 key used to decrypt exploit code.
The exploit CVE-2019-13721 utilizes a race condition between two threads which arises due to an improper synchronization between them. This leads to a use-after-free condition that allows an attacker to execute arbitrary code. However, The use-after-free leaks the 64-bit addresses, which can be of use to figure out the location of the heap/stack, thereby bypassing the ASLR. An attacker can determine the heap layout for successful exploitation. The exploit gives an attack read/write permissions by allocating or freeing up the memory, which is of use to craft a special object that can be of use with WebAssembly and FileReader to achieve arbitrary code execution.
Affected Products
Google Chrome versions before 78.0.3904.87
Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
Solution for CVE-2019-13721
Please refer to this KB Article, which KB Article now replaces to apply the patches using SanerNow.
Therefore, We strongly recommend users of Google Chrome install the latest security updates without delay.